Abstract - The development of Internet protocols is greatly needed as network security becomes one of the most important issues. This brings the need to develop IPv4 into IPv6 in order to proceed towards increasing network capacity.

Intruders are now considered one of the most serious threats to Internet security. Data mining techniques have been successfully utilized in many applications, and many research projects have applied them to intrusion detection. Furthermore, different types of data mining algorithms, such as Classification, Link Analysis and Sequence Analysis, are very useful for intrusion detection.

Moreover, one of the major challenges in securing fast networks is the online detection of suspicious anomalies in network traffic patterns. Most current security solutions fail to perform the security task in online mode because of the time needed to capture the packets and make a decision about them.

Practically, this study provides a literature survey of the enhancements associated with IPv6 in terms of its security related functions. It is worth mentioning that this study is concerned with the data mining approaches that have been used to detect intrusions.

Keywords: Network Security, IPv6 Security, Intrusion 
Detection, Denial of Service, Data mining. 

I. Introduction 

An intrusion detection system (IDS) is considered a type of security management system for computers and networks. An IDS inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system [1].

One of the major challenges in the security management of fast networks is the detection of suspicious anomalies in network traffic patterns caused by Distributed Denial of Service (DDoS) attacks or worm propagation [2]. A secure network should involve the following:

• Data confidentiality: Data can be transferred through the network, and it should be available only to properly authorized users.

• Data availability: The network should be resilient to Denial of Service attacks.

• Data integrity: Data should retain their integrity from the moment of transmission to the moment they are actually received. Corruption or data loss is not acceptable, whether from random events or from malicious activity.

The use of the IPv6 protocol brings new demands for 
typical network protecting mechanisms. 
The rest of this work is a survey of intrusion detection in IPv6 networks based on the data mining techniques that have been utilized in IDSs, and is organized as follows. In Section 2, a short classification of IPv6 security issues is presented, with the following subsections: in subsection 1, the denial of service attack is discussed; in subsection 2, the previous studies of Distributed Denial of Service (DDoS) attacks are reviewed; in subsection 3, a survey of malware attacks in IPv6 networks is presented; in subsection 4, studies of intrusion detection models for IPv6 networks are presented; in subsection 5, survey research on IPv6 address security is also discussed. In Section 3, the various data mining techniques that have been employed in IDSs by various researchers are discussed; in Section 4, a conclusion is drawn, while in Section 5, future work on data mining for intrusion detection in IPv6 networks is proposed.

II. IPv6 Security Issues

As with any new technology, the initial phases of IPv6 implementation are bound to be exploited by cybercriminals. From a security point of view, the new IPv6 protocol stack represents a considerable advance in relation to the old IPv4 stack. However, in spite of its numerous virtues, IPv6 still remains vulnerable in many respects. In this paper we review a number of the areas of IPv6 where security continues to be a significant issue.

A. Denial of Service in IPv6 Network 

One of the major challenges in the security management of fast networks is the detection of suspicious anomalies in network traffic patterns caused by Distributed Denial of Service (DDoS) attacks. A distributed denial of service (DDoS) attack differs from a DoS attack only in method: a DoS attack is made from a single system or network, while a DDoS attack is organized to happen simultaneously from a large number of systems or networks [3], as illustrated in Figure 1.

The denial of service attack is one of the most significant threats in IPv4 and IPv6 networks. These attacks consume the network bandwidth and computational resources of the victim and of the other users on the same network. The denial of service attack, generated by exploiting vulnerabilities in the network protocols, affects the performance of the victim as well as of the other hosts sharing the network [4]. Recently [5], an automatic model was proposed to analyze denial of service attacks on security protocols, so that the Meng protocol could be proved with a mechanized proof tool (ProVerif).
Figure 1. Classification of DoS attacks



B. Distributed Denial of Service in IPv6 Network 

According to the WWW FAQ concerning security issues [6], a Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Denial of service attacks and distributed denial of service attacks have become one of the most critical problems for networks. The authors of [4] proposed a sequential method to detect DDoS attacks quickly, which captures increasing deviations from normal behavior over time.

As stated in previous research, it has been found that although IPSec provides security for IPv6 networks, there is no absolute security. Thus, actual network (SSL/TTL) flow detection and other network technologies should be merged together to protect against attacks or potential threats [7].

C. Malware Attacks in IPv6 Network 

The number of IPv6 attacks is rather small. As IPv6 adoption broadens, attacks are likely to increase, together with greater attention from attackers. Recently, researchers have investigated some possible methods by which worms spread in IPv6 networks. One of these methods has been suggested in [8]: using analysis and simulation, it has been found that P2P-based worms may spread in an IPv6 Internet. Findings show that those worms can spread faster and more effectively in the IPv6 Internet. Consequently, future IPv6 networks will need to strengthen the protection of P2P applications to prevent the spread of such worms. Based on the experiments conducted by [9], there are three scanning strategies used to investigate worm propagation in IPv6 networks in local and wide-area topologies, where scanning time is considered one of the most significant factors in worm propagation. In addition, IPv6 supports network security by providing greater protection against random scanning worms, thanks to its very sparse address space. Hence, [10] proposed a layered method called Worm6 to investigate worm propagation in IPv6, where the layers have different functions.

D. Intrusion Detection Models for IPv6 Network 

Unavoidably, IPv6 will replace IPv4 as the next generation of the Internet Protocol. Although IPv6 has better security than IPv4, there are still some security issues, so the significance of IDS for IPv6 networks seems to be a critical problem.

An intrusion detection system (IDS) inspects all inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack from someone attempting to break into or compromise a system. An IDS has two main intrusion detection techniques: anomaly detection and misuse detection. The anomaly detection technique determines abnormality by measuring the distance between the suspicious activities and the norm, based on a chosen threshold. The misuse detection technique looks for a malicious signature or pattern, depending on a set of rules or signatures, to detect intrusive behavior. The main difference between these two kinds of IDS is that misuse systems cannot detect novel attacks but have a lower rate of false alerts, whereas anomaly models detect new attacks but have a higher rate of false alerts [11-13]. The general overview of a real-time IDS is depicted in Figure 2.
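The two techniques just described, side by side, as an added example that is not code from the paper: a signature rule set (misuse detection) and a threshold on the distance from a learned norm profile (anomaly detection), run over constructed IPv6 flow records. The feature vector, the signature, the norm profile and the threshold are all assumptions made for the illustration.

```python
import math

# Constructed IPv6 flow records (assumed feature layout):
# (src, dst_port, pkts_per_sec, bytes_per_pkt, syn_ratio)
FLOWS = [
    ("2001:db8::10", 443, 12.0, 900.0, 0.10),   # ordinary HTTPS traffic
    ("2001:db8::11", 80, 15.0, 850.0, 0.12),    # ordinary HTTP traffic
    ("2001:db8::99", 80, 900.0, 60.0, 0.98),    # SYN flood: a known signature
    ("2001:db8::77", 53, 400.0, 70.0, 0.00),    # novel high-rate traffic, no signature
]

# Misuse detection: rules describing known malicious patterns (constructed).
SIGNATURES = {
    "syn_flood": lambda f: f[2] > 500 and f[4] > 0.9,
}

def misuse_detect(flow):
    """Return the name of the first matching signature, or None."""
    for name, rule in SIGNATURES.items():
        if rule(flow):
            return name
    return None

# Anomaly detection: distance from a norm profile learned from normal flows.
def build_profile(normal_flows):
    """Per-feature mean and standard deviation of the numeric features."""
    cols = list(zip(*[f[2:] for f in normal_flows]))
    means = [sum(c) / len(c) for c in cols]
    stds = [max(math.sqrt(sum((x - m) ** 2 for x in c) / len(c)), 1e-9)
            for c, m in zip(cols, means)]
    return means, stds

def anomaly_score(flow, profile):
    """Euclidean distance of the z-scored features from the profile mean."""
    means, stds = profile
    return math.sqrt(sum(((x - m) / s) ** 2
                         for x, m, s in zip(flow[2:], means, stds)))

def classify(flows, profile, threshold):
    """Misuse verdict first (known signature), then the anomaly check."""
    verdicts = {}
    for f in flows:
        sig = misuse_detect(f)
        if sig:
            verdicts[f[0]] = "misuse:" + sig
        elif anomaly_score(f, profile) > threshold:
            verdicts[f[0]] = "anomaly"
        else:
            verdicts[f[0]] = "normal"
    return verdicts

PROFILE = build_profile(FLOWS[:2])   # the two benign flows form the norm
VERDICTS = classify(FLOWS, PROFILE, threshold=10.0)
```

The novel flow from 2001:db8::77 matches no signature and is only caught by the anomaly check, while the SYN flood is caught by its signature; with a tighter threshold the benign flows would start to raise false alerts, which is the trade-off the paragraph describes.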
Figure 2. Intrusion Detection Systems Architecture

According to [14], an IPv6-based firewall can be utilized and configured in networking. The authors also mentioned that distributed intelligent technology can be considered a good tool for the firewall system as a whole. An improved association rule discovery system for IPv6 networks has been studied by [15, 16].

The proposed method presented the realization of an intrusion detection model for IPv6 networks; the proposed strategy for the system showed good experimental results and improved the base Apriori algorithm with an optimization that makes association rule mining techniques applicable to IPv6 networks. [17] recommended that security mechanisms should be implemented for intrusion detection and packet filtering (firewalls) to improve protection in IPv6 networks. The mechanisms were carried out to improve IPv6 network security by filtering internal-use IPv6 addresses at the edge routers in order to avoid various reconnaissance attacks.
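To make the association rule mining mentioned above concrete, here is an added example (not the code of [15, 16] or of this paper): a compact Apriori run over constructed IPv6 audit records, followed by rule derivation. The record attributes, the support and confidence thresholds are assumptions for the illustration.

```python
from itertools import combinations

# Constructed audit records (assumed fields): each is a set of attribute=value items.
RECORDS = [
    {"proto=icmpv6", "type=NS", "rate=high", "label=attack"},
    {"proto=icmpv6", "type=NS", "rate=high", "label=attack"},
    {"proto=icmpv6", "type=NS", "rate=high", "label=attack"},
    {"proto=icmpv6", "type=echo", "rate=low", "label=normal"},
    {"proto=tcp", "dport=443", "rate=low", "label=normal"},
    {"proto=tcp", "dport=443", "rate=low", "label=normal"},
    {"proto=udp", "dport=53", "rate=low", "label=normal"},
    {"proto=tcp", "dport=80", "rate=high", "label=normal"},
]

def support(itemset, records):
    """Fraction of records that contain every item of the itemset."""
    return sum(1 for r in records if itemset <= r) / len(records)

def apriori(records, min_support):
    """Return all frequent itemsets (as frozensets) mapped to their support."""
    items = {frozenset([i]) for r in records for i in r}
    level = {s: support(s, records) for s in items}
    level = {s: v for s, v in level.items() if v >= min_support}
    frequent = dict(level)
    while level:
        # Join k-itemsets that differ in one item, then prune any candidate
        # with an infrequent k-subset (the Apriori property).
        cands = set()
        for a, b in combinations(level, 2):
            u = a | b
            if len(u) == len(a) + 1 and all(
                    frozenset(sub) in level for sub in combinations(u, len(a))):
                cands.add(u)
        level = {c: support(c, records) for c in cands}
        level = {c: v for c, v in level.items() if v >= min_support}
        frequent.update(level)
    return frequent

def rules(frequent, min_conf):
    """Derive rules X -> y (y a single item) with confidence >= min_conf."""
    out = {}
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for y in itemset:
            x = itemset - {y}
            conf = sup / frequent[x]
            if conf >= min_conf:
                out[(x, y)] = conf
    return out

FREQUENT = apriori(RECORDS, min_support=0.25)
RULES = rules(FREQUENT, min_conf=0.9)
```

On these records the rule {type=NS} -> label=attack comes out with confidence 1.0, while {proto=icmpv6} -> label=attack does not reach the confidence threshold because one ICMPv6 record is benign; that is the kind of rule an association-rule IDS would store and match against new records.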

In terms of applying an intrusion detection system to the IPv6 transition mechanism, [18] developed the mechanism with an IDS based on tunneling, where IPv6 is expected to discover new resources.

E. IPv6 Address Security 

Network operators can provide better service for every user with fine-grained source address filtering, by protecting them from threats and readily tracing back the malicious host. [19] observes that fine-grained source address validation has been deployed in various campus networks. In addition, the Duplicate Address Detection (DAD) algorithm is used to ensure that all addresses configured by nodes on a link are trustworthy. As [20] comments, a pull-model DAD is used to improve the mechanism for securing DAD in IPv6.

For the security needs of the next generation Internet (IPv6), and based on NetFlow [21], data can be gathered to design a traffic monitoring system that realizes overall statistical analysis of the network traffic and thus alerts the system to abnormal traffic. To find the MAC address of a host in IPv6 networks, IPv6 uses the Neighbor Discovery Protocol (NDP). For IPv6 NDP, [22] demonstrated a technique for detecting spoofed Neighbor Solicitation and Neighbor Advertisement attacks.

F. Flooding Attack Using ICMPv6 

One of the most frequent attack types present in IPv4 networks is the flooding attack. It consists of flooding a network device (e.g. a router) or a host with large amounts of network traffic. The targeted device is unable to process such a large amount of network traffic and becomes unavailable or out of service. A flooding attack can be local, or a distributed denial of service (DDoS) attack when the targeted network device is being flooded by network traffic from many hosts simultaneously. This type of attack can also affect IPv6 networks, because the basic principles of the flooding attack remain the same [23-26].

DDoS flooding attacks are often launched as two types of attack: direct attacks and reflector attacks. In direct attacks, the attacker directly sends a flood of bogus packets toward the victim through the zombie machines. Direct DDoS attacks are classified into two categories: application-layer DDoS attacks and network-layer DDoS attacks. Application-layer DDoS attacks encompass HTTP flood, HTTPS flood, FTP flood, etc. Network-layer DDoS attacks encompass TCP flood, UDP flood, ICMP flood and SYN flood. In reflector attacks, the attacker sends request messages to reflector machines through zombie machines, spoofing the source IP address of the victim server. As a result, the reflector machines send their replies to the given address, causing packet flooding at that site, which is the victim server. The well-known reflector attacks are ICMP ECHO reply flood, SYN ACK (RST) flood, DNS flood, Smurf attack and Fraggle attack [27]. Figure 3 shows direct DDoS and reflector DDoS attacks.

Figure 3. The architecture of flooding DDoS attacks: (a) direct, (b) reflector.
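Detecting the two flooding patterns from the monitored host's side, as an added example that is not part of the paper: a direct ICMPv6 echo flood shows up as a per-source packet rate above a sliding-window limit, while a reflected echo-reply flood shows up as replies arriving for Echo Requests the protected host never sent. The packet trace, the addresses, the window and the rate limit are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 1.0          # seconds (assumed)
RATE_LIMIT = 100      # packets per window from one source before alerting (assumed)
PROTECTED = "2001:db8::1"   # the host whose traffic we watch (assumed)

# Constructed trace of (time, src, dst, icmpv6_type);
# type 128 = Echo Request, 129 = Echo Reply.
def make_trace():
    trace = [(0.0, PROTECTED, "2001:db8::a", 128),    # our own legitimate ping
             (0.01, "2001:db8::a", PROTECTED, 129)]   # its expected reply
    # Direct flood: a single source sends 150 requests within 0.5 s.
    trace += [(0.1 + i * 0.003, "2001:db8::bad", PROTECTED, 128)
              for i in range(150)]
    # Reflector flood: 60 distinct hosts each answer a request we never sent.
    trace += [(1.5 + i * 0.001, "2001:db8:ffff::%x" % i, PROTECTED, 129)
              for i in range(60)]
    return sorted(trace)

def detect(trace):
    """Return (time, kind, src) alerts for direct and reflected floods."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)   # src -> timestamps inside the window
    outstanding = set()           # dsts our host has sent Echo Requests to
    unsolicited = deque()         # times of replies nobody asked for
    for t, src, dst, typ in trace:
        if src == PROTECTED and typ == 128:
            outstanding.add(dst)
            continue
        if dst != PROTECTED:
            continue
        # Direct flood: per-source packet rate in a sliding window.
        q = recent[src]
        q.append(t)
        while t - q[0] > WINDOW:
            q.popleft()
        if len(q) > RATE_LIMIT and src not in alerted:
            alerts.append((t, "direct_flood", src))
            alerted.add(src)
        # Reflector flood: Echo Replies that match no request of ours.
        if typ == 129:
            if src in outstanding:
                outstanding.discard(src)
            else:
                unsolicited.append(t)
                while t - unsolicited[0] > WINDOW:
                    unsolicited.popleft()
                if len(unsolicited) == 50:    # alert when the 50th arrives
                    alerts.append((t, "reflector_flood", "many"))
    return alerts

ALERTS = detect(make_trace())
```

Note that the per-source rate check alone never fires for the reflector case, because each reflector sends only one packet; that is why the reply-without-request state is tracked separately.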

III. Techniques of Anomaly-Based Intrusion Detection System

In this section we review different techniques of anomaly-based IDS. The most important are data mining based detection, statistical anomaly detection, knowledge based detection, and machine learning based detection. The complete classification of ABIDS is shown in Figure 4.

As a conventional IDS can only detect known attacks and cannot detect insider attacks, a better solution for an IDS can be data mining. Data mining at its core is "pattern finding" and is defined as "the process of extracting useful and previously unnoticed models or patterns from large data stores". Data mining is the most recently introduced technology for intrusion detection. In addition, the data mining process tends to reduce the amount of data that must be retained for historical comparisons of network activity, creating data that is more meaningful to anomaly detection [28-31].
Figure 4. Taxonomy of Anomaly based Intrusion Detection System



IV. Employed Data Mining Techniques in IDSs

The different data mining techniques are categorized based on their functions, preference criterion, representation and algorithms [32]. Additionally, data mining systems provide the means to perform data summarization and visualization, aiding the security analyst in identifying areas of interest. Common representations for data mining techniques include rules, decision trees, linear and non-linear functions including neural networks, example-based representations and probability models [32]. Furthermore, it has been suggested that a novel data mining approach (i.e., bi-clustering) potentially contributes to creating a better and more effective kind of Intrusion Detection System [33].

Security products such as firewalls and network intrusion detection systems have less support for the IPv6 protocols than for their IPv4 counterparts, either in terms of features or in terms of performance [34].

An intrusion detection algorithm and its architecture (two-layered, a global central layer and a local layer, together performing data collection, analysis and response), based on data mining and useful in real time for network security, is proposed by Hazem M. El-Bakry et al. [35]. By filtering out known traffic behavior (intrusive and normal), this IDS focuses its analysis on unknown data, thereby reducing false alarm rates.

Tich Phuoc Tran et al. [36] proposed an approach called "A Multi-Expert Classification Framework with Transferable Voting for Intrusion Detection". This model, aimed at improving the strategies to detect different anomalies and intrusions, emphasized different attribute selection strategies, defined a new multi-expert classification system to test the limits of accuracy and robustness in existing systems, and showed that some learning algorithms that use a certain set of features can provide superior detection capability for a given attack category. A set of five local classifiers was created to detect five different classes, namely Normal, Probe, DoS, U2R and R2L, and the outputs from these experts are then integrated by different voting methods. The authors finally concluded that a) the weighted voting strategies outperform simple majority voting, and b) with the Transferable Voting approach, the model achieved a noticeable performance improvement compared with other conventional techniques, in terms of detection accuracy and system robustness, misclassification cost and processing overheads for "unknown" instances. This may not be the ultimate choice for security, but it is effective in different situations.
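The integration step of such a multi-expert system, as an added example that is not the framework of [36]: the five local experts' votes are combined by simple majority and by weights, and the two strategies are compared on the same instances. The expert weights (their assumed validation accuracy) and the per-expert predictions are constructed for the illustration.

```python
from collections import Counter, defaultdict

CLASSES = ["Normal", "Probe", "DoS", "U2R", "R2L"]

# Constructed: each expert's assumed accuracy on held-out data, used as its weight.
WEIGHTS = {"e1": 0.95, "e2": 0.90, "e3": 0.60, "e4": 0.55, "e5": 0.50}

# Constructed predictions of the five experts for three test instances,
# paired with the true class of each instance.
INSTANCES = [
    ({"e1": "DoS", "e2": "DoS", "e3": "Normal", "e4": "Normal", "e5": "Normal"}, "DoS"),
    ({"e1": "U2R", "e2": "U2R", "e3": "Probe", "e4": "Probe", "e5": "Normal"}, "U2R"),
    ({"e1": "Normal", "e2": "Normal", "e3": "Normal", "e4": "R2L", "e5": "R2L"}, "Normal"),
]

def majority_vote(preds):
    """Class with the most votes (ties broken by the order of CLASSES)."""
    counts = Counter(preds.values())
    return max(CLASSES, key=lambda c: counts[c])

def weighted_vote(preds, weights):
    """Class with the largest total weight of the experts voting for it."""
    score = defaultdict(float)
    for expert, cls in preds.items():
        score[cls] += weights[expert]
    return max(CLASSES, key=lambda c: score[c])

def accuracy(vote_fn):
    """Share of instances whose combined verdict equals the true class."""
    hits = sum(1 for preds, truth in INSTANCES if vote_fn(preds) == truth)
    return hits / len(INSTANCES)

MAJORITY_ACC = accuracy(majority_vote)
WEIGHTED_ACC = accuracy(lambda p: weighted_vote(p, WEIGHTS))
```

On the first instance three weak experts outvote the two strong ones under majority voting, while the weighted scheme follows the strong experts; this is the effect behind conclusion a) above.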

V. Conclusion 

The main purpose of this paper is to explore the most recent literature discussing intrusion detection systems based on data mining approaches. Based on the literature review, it is found that data mining algorithms such as Classification, Link Analysis, and Sequence Analysis are very helpful in intrusion detection. Recently, many networks have begun deploying IPv6 after the exhaustion of the IPv4 address space. So, as with any new technology, the initial stages of IPv6 implementation are bound to be targeted by cybercriminals.

Denial of service attacks and distributed denial of service attacks have become one of the most critical problems for networks. Network operators can provide better service for every user with fine-grained source address filtering, by protecting them from threats and readily tracing back the malicious host.

ACEEE Int. J. on Network Security, Vol. 4, No. 1, July 2013

VI. Future Work 

Future work will investigate more advanced data mining techniques for effective and efficient detection of intrusions in IPv6 networks. Hybrid Intelligent Systems will be considered to enhance intrusion detection in IPv6 networks, as they have the capability of solving most of the unsolved problems in the field of Network Intrusion Detection.